Wireless Networks Authentication
Over the past year, the Wi-Fi Alliance has
spearheaded an effort to bring to market a standards-based
interoperable security specification that would greatly increase
the level of data protection and access control for Wi-Fi wireless
local area networks. That specification is Wi-Fi Protected Access
(WPA).
WPA
WPA addresses the flaws in Wired Equivalent Privacy
(WEP). By 2001, WEP’s cryptographic weaknesses had
become well-known. A series of independent studies from various
academic and commercial institutions had shown that an intruder
equipped with the proper tools and a moderate amount of technical
knowledge could gain unauthorized access to a WLAN even with WEP
enabled. In spite of its flaws, WEP did provide a margin of
security compared to no security at all. It remained useful for
deflecting eavesdroppers in home and small office/home office
(SOHO) environments where network traffic is light. However, it was
not sufficient for enterprise use.
Concerned that the lack of strong native wireless security would
hinder the adoption of Wi-Fi devices into the market, the Wi-Fi
Alliance, in conjunction with the IEEE, initiated an effort to
bring a strongly improved, standards-based, interoperable Wi-Fi
security solution to market. WPA is that solution. WPA addresses
Wi-Fi security with a strong new encryption algorithm as well as
user authentication, a feature that was largely missing in WEP.
When properly installed, it provides a high level of assurance that
user data will remain protected and that only authorized users may
access the network. With WPA enabled, enterprises can offer
employees the ease and flexibility of working wirelessly and
securely without deploying add-on security solutions, such as VPNs.
Enterprise users, as well as those at home and in SOHO environments,
have strong security for their network. Wireless Internet service
providers (WISPs) may also find that WPA’s enhanced encryption and
authentication schemes are attractive in public “hotspots” as they
provide a high level of security for service providers and mobile
users who are not utilizing VPN connections.
WPA addresses all known vulnerabilities in WEP to ensure data
authenticity on wireless LANs and protect against even the most
targeted hacker attacks. Cryptographers have reviewed Wi-Fi
Protected Access and have verified that it meets its claims to
close all known WEP vulnerabilities and provides an effective
deterrent against known attacks. WPA uses the Temporal Key
Integrity Protocol (TKIP) for encryption and
employs 802.1X authentication with one of the standard Extensible
Authentication Protocol (EAP) types available today.
Encryption and Authentication
The two primary means of securing a network are
encryption and authentication. Encryption is a means of disguising,
or scrambling, messages according to a secret key known only to the
sender and receiver. Authentication is a means of ensuring that
users are who they say they are before they are authorized to
access the network. Both should be present in an enterprise-class
security solution. And, ideally, the methods should work together
and complement each other. Virtually any encryption scheme can be
broken if a hacker has the time and resources to gather a
sufficient amount of data that can be analyzed to deduce the secret
key. Keys are determined by algorithms that specify the length and
content of the key or how often the key is changed, or both. As a
rule of thumb, as the key size lengthens, a greater amount of data
must be collected and analyzed in order to correctly deduce it.
The ability to eventually “hack” an encryption
method is the primary reason that security should be a constantly
evolving technology. Similarly, the shorter the amount of time that
is allowed before the key is changed, the less likely it becomes
that the data can be analyzed and the key deduced. This compares to
the proverbial “needle in a haystack.” If you think of the shared
secret key as the “needle” that is being hunted, a long key length
and a short duration of time before the key is regenerated
significantly increases the size of the haystack. Although
authentication schemes vary widely, all provide a method of
credential-checking, requiring a user name and password, for
instance, or a digital certificate.
Credentials are checked against an authentication
server that determines their validity before granting a user access
to the network. It is important that the scheme for proving
identity cannot be easily counterfeited or “spoofed.”
Authentication
WPA-Enterprise and WPA2-Enterprise mutual
authentication is initiated when a user associates with an access
point. The AP blocks access to the network until the user can be
authenticated.
WPA uses 802.1X authentication with one of the
Extensible Authentication Protocol (EAP) types available today.
802.1X is a port-based network access control method for wired, as
well as wireless, networks. EAP handles the presentation of users’
credentials, in the form of digital certificates (already widely
used in Internet security), unique usernames and passwords, smart
cards, secure IDs, or any other identity credential that the IT
administrator is comfortable deploying. WPA allows flexibility in
both the type of credentials that are used and in the selection of
an EAP type. A wide number of standards-based EAP implementations
are available for use, including EAP-Transport Layer Security
(EAP-TLS), EAP-Tunneled Transport Layer Security (EAP-TTLS), and
Protected Extensible Authentication Protocol (PEAP). With EAP,
802.1X creates a framework in which client workstations mutually
authenticate with the authentication server.
This mutual authentication prevents users from
accidentally connecting to “rogue” or unauthorized APs on the Wi-Fi
network and also ensures that users who access the network are the
ones who are supposed to be there. When a user requests access to
the network, the client supplicant sends the
user’s credentials to the authentication server
via the AP (authenticator). If the server accepts
the user’s credentials, the master TKIP key is sent to both the
client and to the AP.
A 4-way handshake then takes place between the
client and the AP. It completes the process by authenticating the AP
to the client and by establishing and installing the TKIP (WPA) or
AES (WPA2) encryption keys. As the client begins communicating on the
LAN, encryption protects the data exchanged between the client and
the AP.
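The flow described in the two passages above (802.1X/EAP authentication relayed by the AP, followed by the 4-way handshake that proves both sides hold the same master key and keeps the AP's controlled port closed until it succeeds) is easier to follow in code. The following simulation is an added example, not code from the Wi-Fi Alliance or from any vendor. It uses the real IEEE 802.11 PRF and PTK derivation for an AES/CCMP association (PRF-384, HMAC-SHA1 key MIC truncated to 128 bits), but the EAP exchange itself is abstracted into a single server call, the PMK is produced by a constructed stand-in for the EAP method's key derivation, and the MAC addresses, nonces and EAPOL-Key bodies are constructed values.

```python
import hashlib
import hmac
import os
from typing import Optional

PTK_LABEL = b"Pairwise key expansion"


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), truncated to nbits."""
    out, counter = b"", 0
    while len(out) < nbits // 8:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """CCMP pairwise transient key (PRF-384): KCK(16) || KEK(16) || TK(16).
    Inputs are ordered by value, so the AP and the client compute the same PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, PTK_LABEL, data, 384)


def eapol_mic(kck: bytes, body: bytes) -> bytes:
    """Key MIC for an AES/CCMP association: HMAC-SHA1 over the EAPOL-Key body, truncated to 128 bits."""
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]


def stand_in_pmk(username: str, credential: bytes) -> bytes:
    # Constructed stand-in for the EAP method's own key derivation (with EAP-TLS the
    # PMK comes out of the TLS session); a hash of the credential plays that role here.
    return hashlib.sha256(b"constructed-pmk|" + username.encode() + b"|" + credential).digest()


class AuthenticationServer:
    """RADIUS/EAP server holding the identity database (username -> credential)."""
    def __init__(self, users: dict):
        self.users = users

    def authenticate(self, username: str, credential: bytes) -> Optional[bytes]:
        stored = self.users.get(username)
        if stored is None or not hmac.compare_digest(stored, credential):
            return None                              # Access-Reject: no key material released
        return stand_in_pmk(username, credential)    # Access-Accept carries the PMK to the AP


class Supplicant:
    def __init__(self, mac: bytes, username: str, credential: bytes):
        self.mac, self.username, self.credential = mac, username, credential
        self.pmk = stand_in_pmk(username, credential)  # client side of the EAP run yields the same PMK
        self.ptk = None

    def on_msg1(self, aa: bytes, anonce: bytes):
        """Message 1 (ANonce) -> Message 2 (SNonce, MIC)."""
        self.snonce = os.urandom(32)
        self.ptk = derive_ptk(self.pmk, aa, self.mac, anonce, self.snonce)
        body = b"\x02" + self.snonce + bytes(16)     # constructed EAPOL-Key body, MIC field zeroed
        return self.snonce, eapol_mic(self.ptk[:16], body)

    def on_msg3(self, anonce: bytes, mic: bytes) -> Optional[bytes]:
        """Message 3 proves the AP holds the PMK; an AP without it cannot produce a valid MIC."""
        body = b"\x03" + anonce + bytes(16)
        if not hmac.compare_digest(eapol_mic(self.ptk[:16], body), mic):
            return None                              # keys are not installed and no Message 4 is sent
        return eapol_mic(self.ptk[:16], b"\x04" + bytes(16))   # Message 4 MIC


class AccessPoint:
    """Authenticator: the controlled port stays closed until the handshake completes."""
    def __init__(self, mac: bytes, server: AuthenticationServer):
        self.mac, self.server, self.port_open = mac, server, {}

    def run_handshake(self, sta: Supplicant) -> bool:
        self.port_open[sta.mac] = False
        # A real AP relays EAP frames opaquely; here the credential is passed straight through.
        pmk = self.server.authenticate(sta.username, sta.credential)
        if pmk is None:
            return False
        anonce = os.urandom(32)
        snonce, mic2 = sta.on_msg1(self.mac, anonce)                 # Message 1 -> Message 2
        kck = derive_ptk(pmk, self.mac, sta.mac, anonce, snonce)[:16]
        if not hmac.compare_digest(eapol_mic(kck, b"\x02" + snonce + bytes(16)), mic2):
            return False                                             # client failed to prove the PMK
        mic4 = sta.on_msg3(anonce, eapol_mic(kck, b"\x03" + anonce + bytes(16)))  # Message 3 -> 4
        if mic4 is None or not hmac.compare_digest(eapol_mic(kck, b"\x04" + bytes(16)), mic4):
            return False
        self.port_open[sta.mac] = True                               # keys installed, traffic flows
        return True


if __name__ == "__main__":
    server = AuthenticationServer({"alice": b"credential-stand-in"})
    ap = AccessPoint(b"\x00\x11\x22\x33\x44\x55", server)
    print("valid credential:", ap.run_handshake(Supplicant(b"\x66\x77\x88\x99\xaa\xbb", "alice", b"credential-stand-in")))
    print("wrong credential:", ap.run_handshake(Supplicant(b"\xcc\xdd\xee\xff\x00\x11", "alice", b"guess")))
```

Two details worth noticing. The server never hands out key material on a failed authentication, so a client with a bad credential never reaches the handshake and the port stays closed. And the client checks the MIC on Message 3 before installing keys, which is the step that authenticates the AP to the client: an AP that did not obtain the PMK from the authentication server cannot compute that MIC, so the client refuses to proceed rather than associating with it.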
How Is User Identity Information Stored?
In the context of WPA and WPA2, the issues that
need to be addressed when defining a data storage strategy are where
user identity credentials are stored and, if an external store is
chosen, which database is used. This data storage decision
will influence the choice of an EAP type, which depends on the type
of identity database in use and on any special activities that must
be supported. One example of a special activity would be
Subscriber Identity Module (SIM)-based roaming, which allows mobile
users to associate with new APs without having to log in again. If
user identity credentials are not stored on the authentication
server itself, administrators can keep them in an external store
such as a SQL database or Active Directory.
© 2001-2007 XPerience Technologies. www.xperiencetech.com